Privacy News Highlights

25–30 April 2009


Contents:

UK – UK Adopts International Standard for Airport Biometrics
UK – Blunkett Does U-turn on ID Cards
US – NIST Report - Automated Latent Fingerprint, Identification Technologies
WW – Fujitsu Develops High-Speed Technology for Palm Vein Biometric Authentication
SG – Singapore Immigration Authority to Set Up Centralised Biometrics Hub
CH – Young Politicians Warn of Risks of E-Passports
CA – Spy Watchdog Raps CSIS for Warrant Mistakes
CA – Canadians Concerned Corporate Cost Cutting Could Affect Their Privacy: Poll
UK – UK Government Wants Phone and Internet Providers to Track Users
UK – Home Secretary Says Government Will Not Have Central Electronic Traffic Database
UK – Criminals’ Sentences to be Posted on Website 'To Show Justice is Being Done'
US – Lost Memory Stick Held Data on Agents and Informants in International Drug Case
CA – Anti-Spam Legislation Will Overhaul Do-Not-Call List
US – Mayo Clinic Backs New Personal Health Record Site
WW – New Standard for Encrypting Card Data in the Works; Backers Include Heartland
US – Study: Table-Style Privacy Policy Most Effective
WW – Vendors Release Password Cracking, Management Tools for Full Disk Encryption
EU – Telecom Commissioner Calls for Cyber Security Tsar
UK – Street View Nod Prompts Call for Privacy Watchdog Reform
US – The Real Costs of Laptop Loss: Ponemon Study
CA – Ottawa Finally Announces Anti-Malware Legislation
CH – Switzerland: Meeting IRS Demands Would Violate Criminal Laws
CA – MPP Pushes for Transparency
WW – Google Unveils New Tool to Dig for Public Data
US – Colorado Senate Backs DNA Tests in Felony Arrests
US – Vermont Prescription Data Mining Decision Upheld
CA – Ontario Info & Privacy Commissioner Releases Surgical Privacy Checklist
US – EMR Adoption Higher in States With Fewer Privacy Rules: Study
US – Unencrypted Laptop with 1 Million SSNs Stolen from Oklahoma State
US – LexisNexis Says its Data Was Used by Fraudsters
WW – Google Begins Tracking Swine Flu in Mexico
UK – Privacy Stir Over Satellite
CA – Cell Networks Being Upgraded to Find 911 Callers
NZ – Nearly Half of Kiwi Teens Post Sensitive Info Online
WW – Blocking Phorm Won’t Stop It, Warns Privacy Group
AU – Exposure Drafts on Privacy Bills Released
US – Supreme Court Judge: Free Speech Trumps Privacy Online
US – CDT Cautions about DPI Technologies; Urges Baseline Consumer Privacy Law
US – Obama, Congress to Revisit Real ID
US – Maine Bill Seeks Partial Repeal of Real ID
US – Massive FBI Data-Mining Project Needs Congressional Oversight: EFF
WW – Microsoft: How to Study Search Data Without Risking Privacy
WW – Survey: Jail Sentence for CEO a Fitting Punishment for Data Breach
CA – Taxpayer Data Languishing in Stockpiles of CRA Hard Drives
US – DoJ Faulted for Failing to Follow Surveillance Reporting Requirements
US – California Town Pushing Police-Monitored Residential Video Surveillance
AU – Court Finds Telstra Misused Optus Customer Data
EU – Second Swedish ISP Decides to Nuke IP Address Logs
US – California Breach Bill Moves to Assembly
US – California Bill Would Provide Protection for Personal Records Abandoned at Offices
US – Nevada Lawmakers Discuss Identity Theft Prevention Plan
US – Tennessee House Speaker Breaks Tie On Medical Privacy Bill
US – Florida Prescription Tracking Bill Heads to Governor
US – Indiana State Bill to Help Victims of Identity Theft
US – Texas House OKs Bill to Protect Teacher Records Reporting

Biometrics

 

UK – UK Adopts International Standard for Airport Biometrics

BS ISO/IEC 24713-2 Information Technology: Biometric profiles for interoperability and data interchange (physical access control for employees at airports) has been adopted in the UK. Biometric data interchange format standards and biometric interface standards are both necessary to achieve full data interchange and interoperability for biometric recognition in an open systems environment. The BS ISO/IEC 24713 comes in three parts, under the general title ‘Information Technology: Biometric profiles for interoperability and data interchange’.

• Part 1: Overview of biometric systems and biometric profile
• Part 2: Physical access control for employees at airports
• Part 3: Biometrics-based verification and identification of seafarers [Source]

 

UK – Blunkett Does U-turn on ID Cards

Former Home Secretary David Blunkett says the government should scrap plans to introduce ID cards for all in favour of mandatory biometric passports. [Source]

 

US – NIST Report - Automated Latent Fingerprint, Identification Technologies

The National Institute of Standards and Technology (NIST), with the cooperation of eight technology providers, performed a test of accuracy for searching latent fingerprints using automatic feature extraction and matching (AFEM). This test is Phase II of the Evaluation of Latent Fingerprint Technology (ELFT) project. The test was open to both the commercial and academic community, and participants included vendors of Automated Fingerprint Identification Systems (AFIS). This report provides the design, process, caveats, results, observations and conclusions of the test. The primary objective of the test is to determine whether significant latent print examiner time savings can be achieved, while maintaining accuracy, by not performing manual encoding of the latent fingerprint features. In addition to assessing the overall performance of AFEM latent fingerprint technology, tests were designed to study specific factors expected to significantly impact performance. Insights into the effect of some of these factors may contribute to automated determination of latent fingerprint image quality. To this end, the factors analyzed included the effect of gallery size, latent image resolution, supplementary region of interest, latent minutiae count, finger position, and finger pattern classification. [Source] See also: [New Fingerprint Identification Technique Devised]

 

WW – Fujitsu Develops High-Speed Technology for Palm Vein Biometric Authentication

Fujitsu Laboratories Ltd. has announced the development of the world’s first imaging technology for use in palm vein biometric authentication that can operate while the palm is in motion. The new technology requires only approximately one millisecond to capture the image, and performs with the same level of authentication accuracy as previous iterations of this technology, resulting in an extremely user-friendly palm vein authentication system in which a person’s palm needs only to be passed over a sensor for authentication. [Source]

 

SG – Singapore Immigration Authority to Set Up Centralised Biometrics Hub

The Singapore Immigration and Checkpoints Authority (ICA) is setting up a centralised hub containing biometric data such as facial images and fingerprints of all Singaporeans, permanent residents as well as foreigners staying here. ICA says this is to ensure it continues to provide speedy immigration clearance amid rising human traffic at clearing points. ICA said it cleared about 150 million people last year, seven million more than the figures in 2007. It currently makes use of about five different databases to establish the identity of just one person. The upcoming biometrics hub will provide one-stop biometrics matching services, which ICA says will improve efficiency. ICA will also launch a new initiative that will allow foreigners to submit their applications to become permanent residents online. The first phase of the electronic Permanent Resident System will be launched in July this year. A similar system will also be rolled out for people applying to become Singapore citizens. The electronic Singapore Citizenship (e-SC) application will be ready by the third quarter of this year. [Source]

 

CH – Young Politicians Warn of Risks of E-Passports

The youth chapters of five Swiss political parties have warned of the pitfalls of introducing new electronic passports and a central fingerprint register. The groups said there was a risk of hackers breaking into an increasing number of databases and lifting personal information from electronic chips of passport holders.

They also said citizens should have a choice between biometric passports and other travel documents. The government argues Switzerland is required to introduce such passports as a member of the European single border area under the Schengen accord. A coalition from a broad political spectrum challenged a parliamentary decision on the issue to a nationwide vote on May 17. The youth chapters launched an online campaign to collect a large number of signatures to force the referendum. The United States is making visa-free entry to its territory subject to an electronic passport containing a chip storing two fingerprints of the holder. [Source]

 

Canada

 

CA – Spy Watchdog Raps CSIS for Warrant Mistakes

The Canadian Security Intelligence Service makes a "disconcerting" number of mistakes in applications for eavesdropping warrants, raising potential concerns about liberties and privacy, says a watchdog over the spy agency. In a top secret report, CSIS Inspector General Eva Plunkett criticizes the agency for failing to comply with policy, a lack of written documentation on important matters and gaps in the service rules. Plunkett said in an interview the spy service hasn't moved quickly enough to create up-to-date guidelines for an era when it is operating around the world against terrorism, not just keeping an eye on spies at home. "Any organization has a hard time keeping its policies up to date," she said. "But when you have the kind of intrusive powers that the service has, I think it's essential that there's a guidebook for people to follow." A declassified version of Plunkett's report to Public Safety Minister Peter Van Loan for 2007-08 was obtained by The Canadian Press under the Access to Information Act.  [Source]

 

Consumer

 

CA – Canadians Concerned Corporate Cost Cutting Could Affect Their Privacy: Poll

Canadians are worried their privacy rights could suffer because of corporate cost-cutting during the economic downturn, a new poll for the Office of the Privacy Commissioner of Canada has found. The poll shows 87% of Canadians are concerned that businesses may choose to spend less to protect customers’ personal information during a time of economic uncertainty. The poll also found that many people are failing to take some basic steps to protect themselves against identity theft and other types of fraud involving personal information. Half of Canadians (50%) carry sensitive documents such as Social Insurance Number cards and birth certificates in their wallets or purses. Only 18% had ever ordered a copy of their credit report to verify its accuracy. And less than a third of Canadians (30%) use passwords to protect information on portable digital devices. On a more positive note, most people (92%) say they check their bank and credit card statements for accuracy and 85% shred or destroy documents that contain personal information. [Source] [News Release] [Final Report: Canadians and Privacy]

 

US – Study: Table-Style Privacy Policy Most Effective

The results of privacy policy research commissioned by the U.S. government show that a table-style policy is best understood by bank customers. The table format won out over the more typical solid text format in the study of 1,000 people. The government ordered the research to determine whether typical text-based notices are effective in communicating privacy information to customers. The researchers created three different "fake" notices for testing. "The testing indicates that the [table notice] rates the highest on a diverse set of communication effectiveness measures," the study's authors reported. [Source] [Research Report]

 

E-Government

 

UK – UK Government Wants Phone and Internet Providers to Track Users

The home secretary, Jacqui Smith, has ruled out building a single state “super-database” to track everybody’s use of email, internet, text messages and social networking sites such as Facebook and Twitter. Smith said creating a single database run by the state to hold such personal data would amount to an extreme solution representing an unwarranted intrusion of personal privacy. Instead the Home Office is looking at a £2bn solution that would involve requiring communications companies such as BT, Virgin Media, O2 and others to retain such personal data for up to 12 months. [Source]

 

UK – Home Secretary Says Government Will Not Have Central Electronic Traffic Database

UK Home Secretary Jacqui Smith has said the government will not create a central database of communications data. Instead, the government is asking telecommunications companies to retain logs of Internet and telephone traffic, including website visits. Smith says the companies would be required to keep records of who called whom, when the communication occurred, where the parties were when the communication occurred and what method of communication the parties used; no conversation content would be kept. [Source] [Source]

 

UK – Criminals’ Sentences to be Posted on Website 'To Show Justice is Being Done'

Crime victims will be able to track what happens to convicted criminals in their area using a new online service, Jack Straw announced. The Justice Secretary will say he wants justice to be 'seen to be done'. Under the proposals, ministers will make available online the punishments handed to burglars, muggers and other criminals convicted by the courts. At present, the public would have to turn up to court to sit through a hearing or rely on a local newspaper reporter being present. The websites will build on the popularity of existing crime maps, which detail what types of offences were committed and where. [Source]

 

US – Lost Memory Stick Held Data on Agents and Informants in International Drug Case

Three years after the fact, UK’s Serious Organized Crime Agency (SOCA) has acknowledged that a lost memory stick caused it to abandon a major drug case. The memory stick, which was in a purse inadvertently left on a shuttle in the airport in Bogota, Colombia, held specifics about five years of intelligence work as well as information about dozens of intelligence agents and informants. The device was not encrypted. The agent responsible for the device was recalled to London. The cost of the scrapped operation was estimated to be GBP 100 million (US $146.2 million). SOCA says its data handling procedures have been improved. [Source] [Source]

 

E-Mail

 

CA – Anti-Spam Legislation Will Overhaul Do-Not-Call List

Four years after the National Task Force on Spam unanimously recommended that the Canadian government introduce anti-spam legislation, last Friday the government tabled Bill C-27, the Electronic Commerce Protection Act. The ECPA provides that marketers must obtain consumer consent before sending commercial electronic messages (including e-mail and text messages). While the introduction of anti-spam legislation is long overdue, one of the most significant changes was not reported or even included in the government’s briefing materials. Buried at the very end of the 69-page bill are provisions that would lay the groundwork to kill the National Do-Not-Call List. The proposals are very complicated, but boil down to the repeal of the provisions that govern the list. In its place, an opt-in would apply, meaning that Canadians would no longer need to register their phone numbers on a do-not-call list. Instead, the presumption would be that telemarketers could not call without prior consent. The ECPA would also bring with it stronger penalties (up to $10 million) and fewer exceptions. [Source] [Bill C-27] [Industry Canada press release]

 

Electronic Records

 

US – Mayo Clinic Backs New Personal Health Record Site

The Mayo Clinic has combined its medical expertise with Microsoft’s technology in a free Web site launching that will let people store personal health and medical information. The Mayo Clinic Health Manager uses Microsoft’s HealthVault system to store medical histories, test results, immunization files and other records from doctors’ offices and hospital visits, along with data from home devices like heart rate monitors. Anyone can sign up for an account, not just Mayo Clinic patients. Users can give access to different slices of their health information to doctors and family members as the need arises. Privacy advocates urge people who want to set up a personal health record online to read the fine print. Deven McGraw, director of the health privacy project at the Washington-based Center for Democracy and Technology, said sites like the Mayo Clinic Health Manager aren’t currently covered by national laws that specify cases in which health care systems can access and share information without patients’ consent. [Source]

 

Encryption

 

WW – New Standard for Encrypting Card Data in the Works; Backers Include Heartland

The same organization that led the development of security standards for payment-card magnetic stripe data and PIN-based transactions will soon begin work on a new specification for encrypting cardholder data while it is in transit between systems during the transaction process. And among the companies in the forefront of the effort is Heartland Payment Systems Inc., the Princeton, N.J.-based payment processing firm that announced in January what some analysts think could end up being the largest data breach involving credit-card information thus far. The Accredited Standards Committee X9, which is accredited by the American National Standards Institute, is set to launch an initiative formally known as the Sensitive Card Data Protection Between Device and Acquiring System program. ASC X9 develops and maintains numerous standards for the financial services industry in the U.S., and participants said this week that the goal of the new effort is to develop a data encryption standard to protect information from the moment a card is swiped at a payment register to the end of the transaction chain at a so-called acquiring bank. [Source]

 

WW – Vendors Release Password Cracking, Management Tools for Full Disk Encryption

As full-disk encryption becomes increasingly used to protect data, new software tools that can recover lost passwords or change forgotten ones are being released. Russian security company ElcomSoft specializes in software that can crack unknown passwords for a variety of software programs. The company's latest upgrade to its ElcomSoft Distributed Password Recovery (EDPR) product increases the speed at which passwords can potentially be recovered from the hard disk with PGP encryption. [Source]

 

EU Developments

 

EU – Telecom Commissioner Calls for Cyber Security Tsar

European Union (EU) telecommunications commissioner Viviane Reding says that the EU needs a “Mister Cyber Security” to take the lead in defending its communications infrastructure from cyber attacks. Reding considers the efforts of the EU’s 27 member states to secure communications networks to be “quite negligent,” and points to the May 2007 attacks against Estonian government, financial and other commercial sites as an example of what could happen. A cyber security tsar would have the authority to take immediate steps in the event of such an attack. [Source] [Source] See also: [NYT: U.S. Steps Up Effort on Digital Defenses]

 

UK – Street View Nod Prompts Call for Privacy Watchdog Reform

The London-based Privacy International (PI) group is asking government officials to reform the Information Commissioner’s Office (ICO). PI founder Simon Davies described the ICO’s response to the organisation’s recent Google Street View complaint as the final straw in a 10-year long “undermining of core data protection principles.” PI had asked the commission to order Street View’s suspension until legal considerations could be resolved, but the ICO last week defended its stance that the feature did not breach UK data protection law. “We fear the [ICO] is content to uphold fringe cases....while allowing new technologies to cut a vast swathe through privacy,” PI said. [Source]

 

Facts & Stats

 

US – The Real Costs of Laptop Loss: Ponemon Study

A study released by Intel and the Ponemon Institute last week, entitled "The Cost of a Lost Laptop", analyzes information on missing and stolen laptop cases from 29 companies during the past 12 months. The resulting report contains some interesting information that might help sway companies' decisions when determining whether whole-disk encryption, laptop recovery software, or remote destruction software is needed. A figure like $49,346 as the average cost of a lost laptop is certainly enough to turn some managerial heads. The report associates seven different costs with the losses, including equipment replacement, forensics and investigations, data breach, and intellectual property, to provide a thorough picture of the actual costs of lost electronics. One of the key points was that having a full backup of the data from the lost laptop actually increased the average cost of the lost laptop. [Source]

 

Filtering

 

CA – Ottawa Finally Announces Anti-Malware Legislation

Almost four years after a national task force tabled its recommendations for attacking spam, Ottawa has introduced legislation it claims will protect consumers and businesses from the most dangerous and damaging forms of malware. However, an industry analyst doubts the law on its own will have much effect. The Electronic Commerce Protection Act, tabled in Parliament last Friday, would give the CRTC, which regulates Internet and wireless providers, and the federal Competition Bureau the right to charge Canadian-based senders of malware with breaking the law; those charged would face fines of up to $10 million for an organization or $1 million for an individual. The two departments and the federal Privacy Commissioner will be given the power to share information and evidence with their counterparts in other countries to help enforce similar laws internationally. The proposed act also would give businesses and consumers the right to sue Canadian-based senders of malware. [Source]

 

Finance

 

CH – Switzerland: Meeting IRS Demands Would Violate Criminal Laws

UBS AG, responding to a U.S. lawsuit, said in a court filing that revealing the names of 52,000 American customers would require it to violate Swiss criminal laws barring such disclosures. UBS, Switzerland's largest bank by assets, responded yesterday in federal court in Miami to the Feb. 19 lawsuit, saying the U.S. action seeks to trample on Swiss sovereignty by trying to enforce summonses from the Internal Revenue Service. Such a request also would violate tax treaties between the U.S. and Switzerland, according to the filing. "The IRS now asks this court to force a Swiss financial institution and its employees, over the express objection of the Swiss government, to violate Swiss law by producing a massive quantity of confidential account information located exclusively in Switzerland," according to the bank's response. The lawsuit came one day after UBS avoided U.S. prosecution for helping wealthy Americans evade taxes. UBS agreed to pay $780 million in penalties, admitted it helped taxpayers hide money in Swiss accounts, and gave the IRS more than 250 client names. Two UBS clients have been prosecuted for tax crimes since then, and the IRS is encouraging others to avoid criminal charges by disclosing their offshore accounts voluntarily. [Source]

 

FOI

 

CA – MPP Pushes for Transparency

Liberal Niagara Falls MPP Kim Craitor’s private member’s bill, aimed at improving transparency in government, passed second-reading at Queen’s Park, an important step on its way to becoming law. “Democracy is well served when everybody has the same facts... A knowledgeable public is an engaged public,” Craitor said during Thursday’s debate at Queen’s Park on the Transparency in Public Matters Act. If Bill 159 is passed, it would require a long list of public agencies to hold their meetings in public and establish financial penalties for individual board members who fail to do so. The bill suggests Ontario’s Information and Privacy Commissioner be empowered to investigate meetings where government boards don’t meet in public. There are more than 400 provincial agencies that account for 80% of provincial government spending. Ontarians should be entitled to scrutinize how those agencies operate, Craitor said. The transparency bill was referred to the standing committee on general government. [Source]

 

WW – Google Unveils New Tool to Dig for Public Data

Google launched a new search tool designed to help Web users find public data that is often buried in hard-to-navigate government Web sites. The tool, called Google Public Data, is the latest in the company's efforts to make information from federal, state and local governments accessible to citizens. The company plans to initially make available U.S. population and unemployment data from the Census Bureau and the Bureau of Labor Statistics, respectively. Other data sets, such as emissions statistics from the Environmental Protection Agency, will roll out in the coming months. Google is one of a number of Internet properties, including Wikipedia and Amazon, that has been trying to make it easier to find government information on the Web. [Source]

 

Genetics

 

US – Colorado Senate Backs DNA Tests in Felony Arrests

The Colorado Senate has passed a bill requiring anyone arrested for a felony to submit a DNA sample.  Senate Bill 241 passed by a vote of 28-7 Monday and now goes to the House.  Currently, only people who are convicted of crimes must submit DNA.  Backers say testing people at the time of arrest will help catch criminals and save lives by running the DNA against evidence from other cases.  But opponents say it blurs the line between accusation and conviction and that DNA information from innocent people shouldn't be put in a criminal database.  Democratic Sen. John Morse said only 13 of the millions of DNA markers available will be recorded in the database for each person. People who aren't charged can ask for their record to be removed. [Source]

 

Health / Medical

 

US – Vermont Prescription Data Mining Decision Upheld

In a ruling described as a “major victory for medical records privacy,” a federal court in Vermont has upheld a law banning pharmaceutical companies from data mining prescription information for marketing purposes. The law aims to stamp out drug companies’ practice of purchasing prescribing data from pharmacies in order to learn physicians’ prescribing habits and tailor sales pitches accordingly. Several companies appealed the original ruling, citing their First Amendment right to freedom of speech. New Hampshire and Maine have similar laws on the books. [Source] [Federal Judge Upholds Vermont's Prescription Data Marketing Law] [Modern Healthcare reports]

 

CA – Ontario Info & Privacy Commissioner Releases Surgical Privacy Checklist

Ontario's Information and Privacy Commissioner, Dr. Ann Cavoukian, has been so moved by an initiative by the World Health Organization (WHO) to enhance surgical safety that she delivered a special message today to Ontario hospitals, with whom she has been working closely for the past five years, ever since the introduction of Ontario's Personal Health Information Protection Act. On the same day that a leading forum sponsored by the Canadian Patient Safety Institute on patient safety and quality improvements opens in Toronto, the Commissioner is releasing a paper, "Surgical Safety Checklist: A Must for Hospitals Performing Surgery", that links one of the key principles of information privacy - data accuracy - to the Surgical Safety Checklist developed by WHO and implemented by Toronto's University Health Network, comprised of three major hospitals. [Source] [Checklist] [Source]

 

US – EMR Adoption Higher in States With Fewer Privacy Rules: Study

State laws in place to protect patients' confidentiality may be causing some hospitals to be more skittish about adopting electronic medical records systems, a factor that could impede the push for the industry to go paperless, a study says. Researchers from MIT and the University of Virginia recently concluded that state privacy regulations reduce aggregate EMR adoption by between 20% and 30%. States that got rid of some of their regulations experienced a 21% gain in hospital EMR adoption rates around the years the laws changed, compared with just an 11% gain in states that kept them intact, said the study. The authors concluded that state laws could hinder the federal government's goal of achieving industry-wide interoperability. Cost is the No. 1 reason hospitals don't adopt EMR systems. Tucker used data from 1995 to 2005. More than 2,900 hospitals were analyzed. The researchers measured adoption rates by whether hospitals had installed or were in the process of installing enterprise EMR systems or basic software with the capability for potential add-ins, such as clinical decision support and data repositories. The study's findings were met with skepticism from some privacy advocates, who argued that uniformity exists between the states regarding privacy laws, contrary to what the researchers concluded. Deborah Peel, MD, a psychiatrist and chair of the Patient Privacy Rights Foundation, a watchdog group based in Austin, Texas, said many states have laws that follow the standards set in the American Medical Association's Code of Medical Ethics, which helps provide strong protections for health information. "The idea that there are somehow states in the U.S. that have vastly different laws protecting health information privacy is a fallacy," Dr. Peel said. If any factors are impeding EMR adoption, they are cost and system architectural designs that make them hard to maintain and support, she said. Dr. Peel said she's concerned that policymakers could look at this study and use it as a rationale for scaling back patient privacy protections, which she said are jeopardized as it is by the private data-mining industry. "It's far more lucrative than taking care of sick people. The data is going everywhere we don't want it to go. And the two people who should have it – the patient and their doctor – can't get their hands on it." [Source]

 

Horror Stories

 

US – Unencrypted Laptop with 1 Million SSNs Stolen from Oklahoma State

The sensitive personal information of more than a million Oklahomans has been compromised. The information, including names and Social Security numbers, was stored on a laptop that was stolen from an employee’s vehicle on April 3. The laptop was password-protected, but unencrypted. Affected residents include those who have received benefits from Medicaid, child care assistance, nutrition aid and disability programs, the report states. “We feel this was not a situation where someone was targeting the agency or that information,” said DHS spokesperson Mary Leaver. “We feel it was random.” The state Inspector General’s office is investigating and the agency is notifying those affected. [Source] See also: [New Brunswick health officials admit patients' data lost]

 

US – LexisNexis Says its Data Was Used by Fraudsters

LexisNexis has acknowledged that criminals used its information retrieval service for more than three years to gather data that was used to commit credit card fraud. LexisNexis has started warning about 32,000 people that "a few" customers used its service to help them illegally obtain credit cards. "These individuals were operating businesses that at one time were both ChoicePoint and LexisNexis customers," the company said in a notification letter that it began sending out Friday. To perpetrate the scam, the fraudsters would set up fake mail boxes and then use information obtained from LexisNexis to open credit cards in the victims' names. The criminals were able to obtain names, dates of birth, and even Social Security numbers from the data broker. In 2006, ChoicePoint paid US$15 million to settle a lawsuit with the U.S. Federal Trade Commission after scammers allegedly used ChoicePoint's data services for ID fraud. LexisNexis's parent company, Reed Elsevier, purchased ChoicePoint last year for $4.1 billion. LexisNexis apparently waited a long time to notify victims at the request of the U.S. Postal Inspection Service. The fraud was stopped on Oct. 10, 2007, LexisNexis said, but the breach notification letters were not sent out until now. A LexisNexis spokesman could not say definitively when the company became aware of the breach. [Source] [LexisNexis warns 32,000 people about data breach]


Internet / WWW


WW – Google Begins Tracking Swine Flu in Mexico

Google is trying to compile information from swine flu-related Google searches in Mexico to map out how the disease is spreading through the country. The Mexican effort is based on Google Flu Trends which the company launched last November in the United States. At the time, Google officials said that they had found a connection between people searching for flu information and the number of people who actually have the flu in any given area. "Google Flu Trends may be able to detect influenza outbreaks earlier than other systems because it estimates flu activity in near real time," said Jeremy Ginsberg, one of the engineers on the Google Flu Trends project, during a press conference. Ginsberg acknowledged that the new effort, dubbed “Experimental Flu Trends for Mexico” may produce somewhat faulty data due to the lack of available current information from the Mexican government. [Source]


Location


UK – Privacy Stir Over Satellite

A new communications satellite funded by the EU is causing a stir in the privacy lobby. Called Galileo, the satellite could be the key for the government to install black boxes in every new car so that each car's position could be pinpointed. The original worries were that the satellite would enable every car to be tracked for road charging - which is still lurking in the pending tray. Now there are fears from bodies such as the Association of British Drivers that the satellite will be the eye of Big Brother. It is envisaged that vehicles will emit a constant “heartbeat” revealing their location, speed and direction of travel. The EU’s spin on the satellite is that it will significantly reduce road accidents, congestion and carbon emissions, and some car manufacturers have indicated that a black box could be installed in all new cars as early as 2013. Nothing about the satellite’s tracking capability has been publicly admitted, but it is understood that it could trace a vehicle to within a metre. At the moment the Department for Transport says there are no plans to make installation of the technology mandatory. But if manufacturers are already involved then the writing is on the wall. [Source]


CA – Cell Networks Being Upgraded to Find 911 Callers

Most 911 emergency calls now are made from cellphones and it will be a challenge to get technology in place by next year to pinpoint their locations, says the head of the Canadian Wireless Telecommunications Association. New systems are being tested that will provide a more precise location of a 911 caller on a mobile phone, Bernard Lord, former Premier of New Brunswick, said this week. But he cautioned against the “false impression that it’s just like the movies” when it comes to 911 service on mobile phones. The Canadian Radio-television and Telecommunications Commission has given mobile network operators until February to provide location service. This means 911 call centres and traditional phone companies also have to make upgrades. [Source]


Online Privacy


NZ – Nearly Half of Kiwi Teens Post Sensitive Info Online

Latest findings from internet safety watchdog NetSafe have found that a disturbing number of New Zealand teenagers post sensitive information about themselves online. NetSafe's Convergence Generation research project - released to coincide with Privacy Awareness Week - compiles information gathered from 1700 Kiwi high school students. It found that a staggering one in two students had posted information about themselves in public online spaces in the past 12 months. This included social networking sites like Bebo and Facebook where privacy settings had been set to allow public access. Instant messaging IDs and email addresses were posted by 30% of students, as were full names as well as photos and content that "they wouldn't want someone who didn't like them to find," says NetSafe. Mobile phone numbers were posted online by 14% of respondents and home addresses were made available by 3%. [Source]


WW – Blocking Phorm Won’t Stop It, Warns Privacy Group

A group that encouraged large technology firms to opt out of a controversial behavioural advertising firm’s efforts to track their users’ web activities admits that opting out won’t stop the technology from working. The Open Rights Group encouraged firms to e-mail Phorm about its Webwise platform, which is set to launch with Internet service providers BT, Virgin Media and TalkTalk soon. Some companies have asked Phorm to remove their domain names from its scanning reach, but the Open Rights Group executive director said that Webwise will still be able to profile those sites’ users, and that opting out is not enough. [Source]


Other Jurisdictions


AU – Exposure Drafts on Privacy Bills Released

The Queensland Government has released an exposure draft of the Information Privacy Bill 2009. The bill intends to govern public sector agencies' handling of personal information. The draft includes Information Privacy Principles for government agencies and Queensland Health. The measure also includes requirements surrounding third-party service providers' handling of personal information and calls for establishing a Queensland Privacy Commissioner. The new legislation follows a Freedom of Information Act review that resulted in 141 recommendations for reform. The government has also released an exposure draft of a bill to replace the Freedom of Information Act 1992. [Source]


Privacy (US)


US – Supreme Court Judge: Free Speech Trumps Privacy Online

Some lawmakers are talking about enacting new online privacy laws, but at least one U.S. Supreme Court Judge has indicated that such laws might not be constitutional. Earlier this year, conservative judge Antonin Scalia said new privacy laws would conflict with the First Amendment. The remarks, made at an event held by the Institute of American and Talmudic Law, were in response to comments made by Jules Polonetsky, co-chair and director of the think tank Future of Privacy Forum. Polonetsky outlined the various ways that data is collected across different Web platforms and proposed that people need some assurances that the information won't be used against them. Scalia responded that the First Amendment would prevent much of the privacy protection that Polonetsky seemed to favor. Fordham Law professor Joel Reidenberg apparently took Scalia's original statement as a challenge and assigned a class the task of compiling publicly available data about the judge. Students quickly put together a file that included Scalia's home address, phone number, wife's email and photos of his grandchildren, the blog Above The Law reported. The stunt doesn't appear to have changed Scalia's mind. The judge told Above The Law that he stood by his earlier remark. "It is silly to think that every single datum about my life is private," he wrote. "It is not a rare phenomenon that what is legal may also be quite irresponsible. That appears in the First Amendment context all the time." Scalia's thoughts on the matter are significant because he might end up ruling on the legality of any new online privacy laws. The tension that has long existed between free speech principles and privacy protections also exists in the context of online data collection for ad-serving purposes. There, it's marketers that are collecting the data, and they're using it behind the scenes rather than broadcasting it to the world. But some say that free speech principles still protect those actions. The Newspaper Association of America, for one, argued against voluntary FTC guidelines about behavioral targeting on the theory that newspapers have a First Amendment right to serve whatever truthful ads they wish. It looks like the newspaper group has at least one ally in high places. [Source] [Source]


US – CDT Cautions about DPI Technologies; Urges Baseline Consumer Privacy Law

Leslie Harris, President and CEO of CDT testified before the House Energy and Commerce Subcommittee on Communications, Technology and the Internet telling the congressional panel that Deep Packet Inspection (DPI) technologies pose a serious challenge to privacy and the openness and innovation of the Internet. Because all applications of DPI raise serious privacy concerns owing to the interception and analysis that's done on all of a user's Internet traffic, policymakers must carefully consider each use of DPI and balance the perceived benefit against the risks to civil liberties, Harris said. CDT believes that only rare uses of DPI will be acceptable after such examination and then only with additional privacy safeguards including enactment of baseline consumer privacy legislation. At the hearing, Subcommittee Chairman Rep. Rick Boucher (D-VA) restated his intention to introduce a comprehensive consumer privacy bill this year. [Source]


US – Obama, Congress to Revisit Real ID

Congress and the Obama administration are considering ceding key ground in a long-running battle between the federal government and the states over Real ID, the 4-year-old federal program that requires all states to start issuing more secure driver's licenses by the end of the year. Proposed legislation being circulated on Capitol Hill would give states more time, flexibility and money to meet federal Real ID requirements. For the nation's more than 245 million drivers, the legislation would allow them to keep using their current driver's licenses to board commercial flights or enter federal buildings for the foreseeable future. Under Real ID, residents of states that do not meet a checklist of license upgrades would be unable to use those licenses for federal purposes beginning in January. The congressional proposal may have the backing of the Obama administration. In an appearance Wednesday (April 22) in Washington, D.C., Homeland Security Secretary Janet Napolitano gave the clearest indication to date that the administration plans to push for changes that are favorable to the states. [Source]


US – Maine Bill Seeks Partial Repeal of Real ID

Portions of a law passed begrudgingly last year to bring Maine into compliance with the federal Real ID anti-terrorism law would be repealed under a bill before the Transportation Committee that seeks to eliminate a requirement that Maine driver's licenses and state IDs be issued only to those who prove they are legally present in the United States. It also would prohibit the use of biometric technology, such as retinal scans, facial recognition or fingerprint technology, in the production or storing of license information. The bill also would drop a call for more study into facial recognition or fingerprint technology. The Maine Civil Liberties Union's Shenna Bellows said the law "drives immigrants into the shadows" and violates 14th Amendment due process and equal protection guarantees. [Source] [A Civil Liberties Debate Over Real ID Law]


US – Massive FBI Data-Mining Project Needs Congressional Oversight: EFF

The Electronic Frontier Foundation (EFF) has called on Congress to examine the Investigative Data Warehouse (IDW) – a massive FBI data-mining project that includes a billion records, many of which contain personal information on American citizens. Supporting its request, EFF provided Congress with its new report on IDW, published with information obtained through Freedom of Information Act (FOIA) litigation. "A data warehouse of the size and power of the IDW requires strict oversight from Congress and the public," said EFF Senior Staff Attorney Kurt Opsahl, who authored the new report. "The IDW includes more than four times as many documents as the Library of Congress, and the FBI has asked for millions of dollars to data-mine this warehouse, using unproven science in an attempt to predict future crimes from past behavior. We need to know all of what's in the IDW, and how our privacy will be protected." [Source]


Privacy Enhancing Technologies (PETs)


WW – Microsoft: How to Study Search Data Without Risking Privacy

Data on Internet search queries is a potential gold mine for researchers, as a glimpse into the minds of the online population. But despite efforts to keep that data anonymous, its release is a mine field for personal privacy, as evidenced by AOL’s legendary 2006 “screw up.” Now some Microsoft researchers say they’ve come up with a way to release and study search data without risking privacy. The company is quick to add that it doesn’t have any plans to release search data in this way. But if anyone else is brave enough to give it a try, the approach is detailed in a Microsoft paper. The trick is an algorithm that produces what the researchers call a “private query click graph” that shows queries and URLs, giving weight to different URLs based on the number of users who clicked on them after making particular queries. “While this graph is not as powerful as the actual search log, many computations can still be performed on the click graph with results similar to the actual search log, e.g., finding similar queries, keyword generation, and performing spell corrections,” the researchers write. [Source]
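As an added illustration of the idea described above (my example, not code from the Microsoft paper or from the article): the block below builds a query click graph from a constructed search log, weighting each query-URL edge by the number of distinct users who clicked it, and then applies the standard differential-privacy recipe of capping each user's contribution, adding Laplace noise to every edge count and suppressing edges whose noisy count falls below a threshold. The paper's exact algorithm and parameters are not on the page; the noise-and-threshold mechanism, the per-user cap, the epsilon and threshold values and the sample log are all my assumptions. The threshold is what protects the one-person queries that re-identified AOL users in 2006: an edge that only a single user produced never clears it except by an unlikely noise draw.

```python
"""
Added example: a differentially private "query click graph".

Assumptions (not from the article or the Microsoft paper): the article only
says that URLs are weighted by the number of users who clicked them after a
query. Capping each user's contribution, adding Laplace noise and dropping
low noisy counts is the textbook way to release such counts privately; it is
my illustration, not the paper's exact algorithm.
"""
import math
import random
from collections import defaultdict

# Constructed sample search log (not real data): (user_id, query, clicked_url).
SAMPLE_LOG = [
    ("u1", "flu symptoms", "cdc.gov/flu"),
    ("u1", "flu symptoms", "cdc.gov/flu"),   # repeat click by same user, counted once
    ("u1", "flu symptoms", "webmd.com/flu"),
    ("u2", "flu symptoms", "cdc.gov/flu"),
    ("u2", "flu symptoms", "webmd.com/flu"),
    ("u3", "flu symptoms", "cdc.gov/flu"),
    ("u4", "flu symptoms", "cdc.gov/flu"),
    ("u5", "flu symptoms", "cdc.gov/flu"),
    ("u6", "flu symptoms", "cdc.gov/flu"),
    # A query only one person ever issued: the kind of edge that re-identified
    # AOL users in 2006 and that the threshold below suppresses.
    ("u7", "john doe divorce lawyer springfield", "example.com/lawyer"),
]


def build_click_graph(log, max_edges_per_user=3):
    """Return {query: {url: number_of_distinct_users}}.

    Each user contributes to at most max_edges_per_user distinct (query, url)
    edges (their first ones), and at most once per edge. That cap bounds how
    much one person can change the whole count vector (L1 sensitivity), which
    is what the noise scale in privatize_click_graph relies on.
    """
    users_per_edge = defaultdict(set)
    edges_per_user = defaultdict(list)
    for user, query, url in log:
        edge = (query, url)
        seen = edges_per_user[user]
        if edge not in seen:
            if len(seen) >= max_edges_per_user:
                continue                      # user already used up their cap
            seen.append(edge)
        users_per_edge[edge].add(user)
    graph = defaultdict(dict)
    for (query, url), users in users_per_edge.items():
        graph[query][url] = len(users)
    return dict(graph)


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse-CDF from a uniform draw."""
    u = rng.random() - 0.5                    # uniform on [-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(max(1.0 - 2.0 * abs(u), 1e-300))


def privatize_click_graph(graph, epsilon, threshold, max_edges_per_user=3, seed=None):
    """Release a noisy, thresholded copy of the click graph.

    Laplace noise with scale sensitivity/epsilon on every edge count gives
    epsilon-differential privacy for the counts; keeping only edges whose
    noisy count reaches `threshold` is post-processing and also hides queries
    that exist only because of one or two users. Because the query strings
    themselves are only revealed when they clear the threshold, the overall
    guarantee is of the (epsilon, delta) kind, with delta shrinking as the
    threshold grows (assumption stated here, not a claim from the page).
    """
    rng = random.Random(seed)
    scale = max_edges_per_user / epsilon       # sensitivity / epsilon
    private = {}
    for query, urls in graph.items():
        kept = {}
        for url, count in urls.items():
            noisy = round(count + laplace_noise(scale, rng))
            if noisy >= threshold:
                kept[url] = noisy
        if kept:
            private[query] = kept
    return private


if __name__ == "__main__":
    exact = build_click_graph(SAMPLE_LOG)
    released = privatize_click_graph(exact, epsilon=1.0, threshold=3, seed=42)
    print("exact   :", exact)
    print("released:", released)
```

With epsilon = 1 and a cap of 3 edges per user, the noise scale is 3, so released counts for the popular edge wander by a few users while the single-user query is almost never released; tightening epsilon or raising the threshold trades utility (the paper's similar-query and spell-correction uses) for stronger suppression.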


Security


WW – Survey: Jail Sentence for CEO a Fitting Punishment for Data Breach

A survey of more than 100 IT security professionals at the eCrime Congress in London last month revealed that 66% feel that C-level executives and boards should be held responsible in the event of a data breach, reports CSO. 30% feel that jail time for CEOs or board members is an appropriate punishment for a serious breach. Respondents included security professionals and senior managers from government, public and private sector organizations in 21 nations. Although the majority of respondents (93%) feel the economic downturn is putting increased pressure on companies to protect data, 46% feel that preventing data loss is not currently an organizational priority due to cost-cutting measures. [Source]


CA – Taxpayer Data Languishing in Stockpiles of CRA Hard Drives

The revenue agency has only now completed an analysis of disk-erasing tools in response to an October 2007 warning from the RCMP to obtain better software that will wipe sensitive taxpayer data from hard drives. One security expert said the CRA is hindered by its own bureaucracy. The Canada Revenue Agency said that while a 2008 audit revealed it had still not found effective software for deleting sensitive taxpayer data from hard drives following a warning from the RCMP in 2007, the agency does expect to have new software in place by September of this year, according to a spokesperson. In the meantime, there are hard drives containing sensitive data that have been stockpiled in the absence of a better disk-erasing tool, acknowledged Workman. [Source]


Surveillance


US – DoJ Faulted for Failing to Follow Surveillance Reporting Requirements

Following the release of an annual report this week about wiretaps requested by state and federal law enforcement agencies comes a complaint from EPIC that the government has been derelict in its duty to report other surveillance statistics having to do with "pen register" and "trap and trace" orders. In a letter sent Wednesday to Senator Patrick Leahy (D - Vermont), chairman of the Senate Judiciary Committee, EPIC noted that the Justice Department had failed to report the use of such surveillance as required by the federal Electronic Communications Privacy Act of 1986. Furthermore, EPIC said it appeared that DoJ failed to submit any subsequent reports at all for the years 2004 through 2008. EPIC is asking Leahy to make public all reports for 2004 forward if Congress received them and to publicly disclose any future reports as a matter of course. Currently, the reports can only be obtained through Freedom of Information Act requests to the DoJ's Office of Legislative Affairs. [Source] See also: [Wiretap Applications Down in 2008]


US – California Town Pushing Police-Monitored Residential Video Surveillance

Atherton, California, police detective Sherman Hall said there is only one reason the APD owns and operates its own central station: a competitive edge. The police department's central station offers free monitoring of intrusion alarms for residents, and now free video monitoring. However, when asked about competing with area monitoring companies, Hall says APD maintains the edge over the would-be criminals in its jurisdiction, not over the security industry. "The idea is that by cutting out the middle man, the alarm monitoring service, we expedite our response time. The alarm comes in to us in a matter of a minute or two, versus some of our residents who use the other monitoring services where there can be a delay of five to seven minutes by the time they go do their verification and then call us," Hall said. "If we get an alarm, we go out there and then deal with the verification later when we're actually on the scene." Atherton is the rare town where the cops are unconcerned with false alarms. [Source]


Telecom / TV


AU – Court Finds Telstra Misused Optus Customer Data

Optus has won a Federal Court ruling against Telstra in which it was alleged that Australia’s dominant telco misused Optus' confidential information for its own marketing gains in the 1990s. Optus claimed that in the period 1993 to 2000, Telstra breached an access agreement by obtaining confidential information about Optus' long distance telephony traffic. The traffic information, which included the number of calls made, the source of the call, the destination, duration, time, kind of call and value, was used to track the success of Optus' marketing campaigns. This information was provided by Telstra Wholesale to Telstra Retail, where it was used to launch marketing and advertising attacks in the long distance call market in a bid to lure customers away from Optus. The sharing of information between Telstra's wholesale and retail arms also allowed the telco to monitor, in real time, the success of Optus' marketing initiatives and special offers. "There can be no doubt that in preparing the market share reports Telstra used traffic information of Optus; certainly not every element of such information, but at least the aggregate quantity of Optus' traffic that travelled over Telstra's network ... perhaps more," Justice Richard Edmonds said in his ruling. [Source]


EU – Second Swedish ISP Decides to Nuke IP Address Logs

Another Swedish ISP has decided not to retain customer IP records in an attempt to protect user anonymity. Tele2 announced this week that it plans to start deleting all IP records after they have been used internally—a move that is still legal under Swedish law, but is beginning to irk law enforcement. Tele2 is the second major ISP to announce such a plan this month. The first was Bahnhof, which said earlier this month that it refused to keep any log files to hand over to authorities. Both ISPs are reacting to IPRED, the Intellectual Property Rights Enforcement Directive. The Swedish incarnation of this European directive went into effect on April 1, and it allows courts to force ISPs to turn over user data in cases of suspected copyright infringement. Because of this loss of anonymity, Internet traffic in Sweden saw an immediate drop. Tele2 and Bahnhof may not be able to skirt authorities like this forever, though. The EU passed the Data Retention Directive in 2006, which requires member countries to retain data for between six months and two years. Some countries have already implemented the directive, although Sweden has chosen to ignore it while a challenge makes its way through the EU court system. [Source]


US Legislation


US – California Breach Bill Moves to Assembly

A bill to enhance California’s security breach notification law passed in the state Senate yesterday and now moves to the Assembly for approval. If passed, SB 20 would require compromised entities to divulge the date of the breach and the types of personal information affected. It would also mandate that the state Attorney General’s office be notified in the event of a breach affecting more than 500 residents. “While the bill makes relatively modest changes to California’s existing [breach] law, these changes are vitally important and will greatly enhance identity theft protection for Californians,” said Beth Givens of the Privacy Rights Clearinghouse. [Source]


US – California Bill Would Provide Protection for Personal Records Abandoned at Offices

Social Security numbers, medical records and other personal data could get more protection from disclosure if a bill that passed its first legislative review Tuesday becomes law. Assembly Bill 1094 by Assemblywoman Connie Conway, R-Tulare, is intended to plug a legal hole on how landlords should handle personal records that are abandoned in their offices, storage sheds or other property. Right now the law spells out the responsibility of the business that owns unwanted records to dispose of them so that they are unreadable. But the law isn't as clear on the duty of a landlord who ends up with the records and can't find the owner. [Source]


US – Nevada Lawmakers Discuss Identity Theft Prevention Plan

A Senate panel was urged to support an Assembly-approved plan that would help prevent identity theft by making less credit card information available on printed receipts.  AB389 would prohibit printing more than the last five digits of credit card numbers and expiration dates on copies of customer and business receipts, Senate Judiciary Committee members were told.  Assemblywoman Bonnie Parnell, D-Carson City, chief sponsor of AB389, displayed a receipt listing a complete credit card number and expiration date along with the cardholder's full name, saying the amount of information was "alarming." [Source]


US – Tennessee House Speaker Breaks Tie On Medical Privacy Bill

House Speaker Kent Williams has stepped in to break a tie on a proposal to give parents full access to their children's medical procedures and tests.  The proposal sponsored by Rep. Tony Shipley, a Kingsport Republican, was advanced out of the Criminal Practice and Procedure Subcommittee on a 4-3 vote. All three votes against the measure came from Democrats.  Williams, a Republican, has the power to vote on any House panel. Bills need majority votes to advance.  Shipley's bill would require doctors to provide copies of written results of any test or procedure performed on a minor within 24 hours of a parent or guardian making the request.    Legislative analysts warn the proposal could jeopardize about $6.5 million in federal family planning funding that carries privacy requirements. [Source]


US – Florida Prescription Tracking Bill Heads to Governor

Florida's role as the nation's leading supplier of prescription drugs obtained for illicit purposes could be reduced, if not ended, by a bill that was sent to Gov. Charlie Crist on Thursday. The measure would set up a prescription tracking system designed to crack down on "doctor shopping" by addicts and drug dealers who flock to Florida from throughout the Southeast. That's because their own states already collect data on painkillers such as oxycodone and other potentially lethal drugs dispensed by pharmacies and clinics. Florida is the largest of only 12 states without such tracking systems. Authorities say it's a trade that's claiming thousands of lives because of overdoses. An average of nine people a day die in Florida from abusing prescription drugs, three times the rate for other drugs, said the House sponsor, Rep. Marcelo Llorente, R-Miami. [Source]


US – Indiana State Bill to Help Victims of Identity Theft

A bill that calls for significant upgrades in identity theft detection as well as crackdowns on the crime's perpetrators is only Gov. Mitch Daniels' anticipated signature away from approval. Identity theft being the fastest-growing crime in the United States, it was no surprise to Indiana Attorney General Greg Zoeller that House Bill 1121 - which he called "common-sense legislation" - was met with unanimous approval in the statehouse. The six-tiered bill is essentially a microcosm of Zoeller's goals in office, which focus attention on assisting the victims of identity theft through recovery and on punishment of the thieves. [Source]


Workplace Privacy


US – Texas House OKs Bill to Protect Teacher Records Reporting

A measure pulling some identifying information about Texas school teachers and employees from public records is headed to the Senate. While many teachers want more privacy, a public watchdog group says House Bill 2491 leaves parents and students in the dark about Texas educators. Rep. Diane Patrick, R-Arlington, sponsored the House version of the bill. The Friday vote was 107-18 in favor of the bill. Many teacher organizations support the bill and claim it will protect their privacy. But the Freedom of Information Foundation of Texas says the bill does nothing to protect parents from teachers who have questionable pasts. [Source]



+++